Following the European Parliament’s adoption of a “General Approach” in June 2015, negotiations over the regulation’s final form are now under way. The adoption represents the final stage of the negotiations between the European Commission, the European Parliament and the EU Council of Ministers, which means the regulation is on track to be put in place by the end of 2015.
Some adjustments to the final text of the Regulation are expected, but, whatever they may be, these are the ten steps that companies should take to ensure a high level of security when personal data are processed:
- Put the protection of personal data among the Risk Management priorities. The Risk Management Officer must be aware of the risks involved in processing the personal data of customers, suppliers and employees. Their contribution to measuring those risks is essential for scaling the investments needed to ensure the security of the data.
- Involve corporate governance at various levels: Board and CEO, CRO, CCO and CIO. Get the right level of commitment to address the organisational and technological changes needed. Even if the core business of the company is not the management of personal data, those data represent a valuable asset to be protected in the interests of the company and its stakeholders. Any damage to or breach of these data is, in addition to a possible economic loss, serious reputational damage for the company.
- Appoint the following in your company’s organisation chart:
  - A Data Processor of personal data.
  - A Controller of personal data.
  - A Data Protection Officer. The appointment of a Data Protection Officer is mandatory for public administrations (PA) and voluntary for other companies, unless the national law of the relevant Member State provides otherwise.
- Involve the CIO in relation to ICT developments, to properly address the cybersecurity issues.
- Carry out a data protection impact assessment (also called a privacy impact assessment, PIA). The assessment will be organisational and technical, to identify the gaps between the current situation and the target measures to put in place. In this assessment, the controller will take into account the nature, scope, context and purposes of the data controller’s business, as well as the likelihood and magnitude of the risks to the rights and freedoms of individuals.
- Check that your company has already formalised all procedures for acquiring consent from the Data Owner, including the right to be forgotten.
- Design a target process for personal data that ensures a level of security proportional to the risks. This target process is an implementation of appropriate technical and organisational measures. The EU Data Protection Regulation identifies the following items:
  - Privacy by design and data protection by default: data integrity must be part of the procedures for designing or purchasing computer applications.
  - Security of processing: systems and services processing personal data must ensure ongoing confidentiality, integrity, availability and resilience.
  - Record of data processing activities: access to personal data must be traceable, and the traceability records should be available to national authorities on request.
  - Breach notification: the Data Processor must detect data damage or data breaches, and the Data Controller must disclose them to the parties concerned and to the authorities “without undue delay”. Recovery from an incident must be complete and timely.
- Plan the development and deployment of appropriate organisational and technical measures to bridge the gaps between current practice and the target process. The General Data Protection Regulation outlines a risk-based approach to this activity:
  - Article 30 – The controller and the processor shall implement technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing, taking into account the result of a data protection impact assessment pursuant to Article 33, having regard to the state of the art and the cost of their implementation.
  - Articles 31 and 32 – The obligation to report data breaches extends only to those breaches that are “likely to result in a high risk for the rights and freedoms of individuals”. If the compromised data is encrypted or otherwise protected so that it remains unintelligible, the data controller is not required to report the breach.
  - Article 33 – Privacy impact assessments are required only for processing activities that are likely to involve a “high” risk to the rights and freedoms of individuals, such as discrimination, identity theft, fraud or financial loss.
- Establish relations with the EU bodies in charge. Data controllers established outside the EU need to appoint a representative in the EU, except for processing activities that are “occasional” and “unlikely to result in a risk” to the rights and freedoms of individuals.
- If your company processes sensitive personal data, put in place additional security measures to ensure situational awareness of the risks and the ability to take preventive, corrective and mitigating action in near real time, according to Article 30.
Finally, it should be remembered that fines (still under discussion) of up to 5% of annual turnover would be significant enough to put the GDPR on a par with the measures provided for anti-trust and anti-corruption!